Abstract

We show that the computational problem of testing the behaviour of quantum circuits is hard for
QMA, the class of problems that can be verified efficiently with a quantum computer. This
result is a generalization of the techniques previously used to prove the hardness of other problems on
quantum circuits. We use this result to show the QMA-hardness of a weak version of the problem of
detecting the insecurity of a symmetric-key quantum encryption system, or alternately the problem
of determining when a quantum channel is not private. We also give a QMA protocol for the problem
of detecting insecure encryption to show that it is QMA-complete.

1 Introduction 

Testing the behaviour of a computational system is a problem central to the study of quantum computing.
This is the problem faced by an experimentalist who has implemented a quantum computation
and wants to check that the implementation behaves (approximately) correctly on all input states. An 
efficient solution to this problem would allow for the verification that a circuit provided by an untrusted 
party correctly implements some desired operation. Unfortunately we show in a general model that 
even a weak version of this problem is likely to be computationally intractable and so any solution to 
this problem will need to make essential use of the structure of the operation that the circuit is supposed 
to implement. The problem we consider is, given a quantum circuit, to decide between two cases: either 
the circuit acts in the desired way on all input states, or the circuit misbehaves, acting in some malicious 
way on a large subspace of input states. This problem is QMA-hard even when both the desired and 
malicious behaviour are known (i.e. specified by uniform families of quantum circuits). 

The class QMA is the set of all problems that can be verified up to bounded error on a quantum 
computer. Several problems are known to be complete for QMA: these problems can be thought of as 
alternate characterizations of the class, as they capture exactly the power of this computational model. 
The first of these complete problems is the problem of determining the ground state energy of a local 
Hamiltonian. This was first shown to be complete on $k$-local Hamiltonians [15] for $k \geq 5$, before the
problem was shown to remain hard in the 2-local case [3. The problem of determining if local descrip- 
tions of a quantum system are consistent is also known to be QMA-complete Oil, though only under 
Turing reductions. Other problems related to finding ground states of physical systems are also known
to be complete for QMA l2fll211.

There are also problems on quantum circuits that are known to be QMA-complete. The first of these 
is the Non-identity check problem: given as input a unitary quantum circuit, the problem is
to decide if there is an input on which the circuit acts non-trivially or if the circuit is close to the identity
for all input states. The problem of determining if a circuit is close to an isometry (i.e. a reversible
transformation that maps pure states to pure states) is also known to be QMA-complete [18].

In this paper we generalize the hardness proofs of [13, 18] to show the QMA-hardness of the
problem of testing the properties of the outputs of quantum circuits. More specifically we define the
circuit testing problem, which has as parameters two uniformly generated families of quantum circuits
$\mathcal{C}_0$ and $\mathcal{C}_1$. The problem is to decide, given an input circuit $C$, whether $C$ acts like circuits from the
family $\mathcal{C}_0$ on a large input subspace, or whether $C$ acts like circuits from $\mathcal{C}_1$ for all input states. Using
this result we reprove the QMA-hardness of non-identity check and non-isometry testing by making
choices for the families $\mathcal{C}_0$ and $\mathcal{C}_1$. We also show that some other circuit problems are hard, such as a
version of finding the minimum output entropy (this is similar in spirit to the results in [5], though our
model is incompatible), or determining when a channel has a pure (approximate) fixed point.

It is important to note that, despite the name, this problem is not related to property testing. In this 
problem we have a significantly weaker promise — in one case the circuit only behaves in a certain way on 
a subspace of the input. For an input space of dimension $d$, this subspace can be as large as $d^{1-\delta}$ for an
arbitrary constant $\delta > 0$, but this subspace is still far from the whole input space. Essentially the problem
is to detect if the circuit behaves in a certain way only when a specific input state is provided on some 
subset of the input qubits. Note also that while we can use this problem to show the QMA-hardness of 
several circuit problems, this technique does not show that these problems are in QMA. 

We then apply this hardness result to the problem of detecting insecure quantum encryption. This
is the problem of deciding, given a quantum circuit that takes as input a quantum state as well as a classical
key, whether this circuit is $\varepsilon$-close to a perfectly secure encryption scheme (i.e. a private quantum
channel 0.0), or whether there is a large subspace of input states that the circuit does not encrypt at all
(up to error $\varepsilon$). To show that this problem is hard, we argue that this problem contains as a special case
an instance of the circuit testing problem. Finally, we give a QMA verifier for this problem to prove that
it is QMA-complete.

The remainder of the paper is organized as follows: Section 2 contains some mathematical background,
a definition of the class QMA, and a discussion of private quantum channels. The hardness of
the circuit testing problem is shown in Section 3. Finally, Section 4 contains the proof that the problem
of detecting insecure encryption is QMA-complete.



2 Preliminaries 
2.1 Background 

Throughout the paper we let $\mathcal{H}, \mathcal{K}, \mathcal{X}$ represent (finite-dimensional) Hilbert spaces. The pure
quantum states are simply the unit vectors in these spaces. The set of density matrices on a space $\mathcal{H}$
is denoted $D(\mathcal{H})$: these are the positive semidefinite operators with unit trace. We will use the notation
$T(\mathcal{H}, \mathcal{K})$ to represent the set of channels that map states in $D(\mathcal{H})$ to states in $D(\mathcal{K})$. More formally,
these transformations are exactly the completely positive trace preserving linear maps from $L(\mathcal{H})$ to
$L(\mathcal{K})$, where we use $L(\mathcal{H})$ to denote the set of all linear operators on $\mathcal{H}$.

To measure the distance between quantum states we will make extensive use of the trace norm,
which for a linear operator $X$ can be defined as $\|X\|_{\mathrm{tr}} = \operatorname{tr}\sqrt{X^* X}$. A useful alternate characterization
is that $\|X\|_{\mathrm{tr}}$ is the sum of the singular values of $X$, or, in the case of a normal operator, the sum of the
absolute values of the eigenvalues. One important property of the trace distance $\|\rho - \sigma\|_{\mathrm{tr}}$ between two
states is that it is monotone nonincreasing under the application of quantum channels.

We will also need the intuitive property that two states that are close together in the trace norm 
produce similar measurement outcomes. This can be derived from the fact that an expression involving 
the trace norm gives the maximum probability that two states can be distinguished [12].

Lemma 1. Let $X \in L(\mathcal{H})$ satisfy $0 \leq X \leq \mathbb{1}$. Then

$$\operatorname{tr}(X\rho) \leq \operatorname{tr}(X\sigma) + \|\rho - \sigma\|_{\mathrm{tr}}.$$

In addition to the trace norm, we will also need a distance measure on the quantum channels.
Such a measure is given by the diamond norm, which for a linear map $\Phi : L(\mathcal{H}) \to L(\mathcal{K})$ is given by
$\|\Phi\|_\diamond = \sup_{X \in L(\mathcal{H} \otimes \mathcal{H})} \|(\Phi \otimes \mathbb{1}_{\mathcal{H}})(X)\|_{\mathrm{tr}} / \|X\|_{\mathrm{tr}}$. See [15] for an alternate definition and some further
properties of this norm. In the case that $\Phi$ is the difference of two completely positive maps, we may
replace the supremum in the definition of the diamond norm with a maximization over pure states in the
space [19]. Similarly to the trace norm, the diamond norm can be used to characterize the
distinguishability of two quantum channels: here the fact that the definition involves a reference system
captures the fact that the optimal strategy to distinguish two channels may involve the use of entangled
input states.

Since we consider computational problems on quantum channels, we must specify how they are to 
be given as input. For this we use the mixed-state circuit model, first defined in where circuits are 
composed of some (universal) collection of the usual unitary gates, plus a gate that introduces ancillary 
qubits in the $|0\rangle$ state and a gate that traces out (i.e. discards) qubits. For simplicity we will assume that
all Hilbert spaces we encounter are composed of qubits, i.e. that the dimension is always a power of two, 
though this is not strictly needed. 

We use this circuit model because it can (approximately) represent any quantum channel, and in 
the case of efficient quantum circuits this representation is of size polynomial in the number of input 
qubits. Using circuits does not (significantly) restrict the applicability of our hardness results: they also 
apply in any model that can efficiently simulate the circuit model, such as the model of measurement 
based quantum computation. 

2.2 QMA 

In order to prove results about the class QMA, we give a formal definition. A language $L$ is in QMA if
there is a quantum polynomial-time verifier $V$ such that

1. if $x \in L$, then there exists a witness $\rho$ such that $\Pr[V \text{ accepts } \rho] \geq 1 - \varepsilon$,

2. if $x \notin L$, then for any state $\rho$, $\Pr[V \text{ accepts } \rho] \leq \varepsilon$.

The exact value of the error parameter $\varepsilon$ is not significant: any $\varepsilon < 1/2$ that is at least an inverse
polynomial in the input size suffices H^. E^1.

Let $L$ be an arbitrary language in QMA, and let $x$ be an arbitrary input string. Our goal will be to
encode the QMA-hard problem of deciding if $x \in L$ into the problem of detecting an insecure encryption
circuit. To do this it will be convenient to represent the verifier as a unitary circuit $V$, which represents
the algorithm of the verifier in a QMA protocol on some input $x$. We may "hard-code" the input string $x$
into the circuit for $V$, since the circuit $V$ needs only to be efficiently generated given $x$.

The algorithm implemented by the verifier in an arbitrary QMA protocol is given in Figure 1. The
verifier receives a witness state $|\psi\rangle$, applies the unitary $V$ on the witness state and any ancillary qubits
needed, and finally measures the first output qubit to decide whether or not to accept. Any qubits not
measured are traced out. One of the main results of this paper is a reduction from an arbitrary QMA
verifier to the problem of testing the behaviour of quantum circuits.

Figure 1: Verifier's circuit in a QMA protocol. The verifier accepts the witness state $|\psi\rangle$ if and only if the
measurement in the computational basis results in the $|1\rangle$ state.

Figure 2: Example implementation of the completely depolarizing channel $\Omega$ on three qubits. In order
to obtain a private channel, the qubits in the $|+\rangle$ state are replaced by a classical key $k$ to obtain
the channel $\Omega_k$.

2.3 Private Quantum Channels 

Quantum channels that are secure against eavesdroppers are those channels for which the input state 
cannot be determined by the output. These channels can also be viewed as encryption systems: the key 
is simply the environment space of the channel, which, when combined with the output state, allows 
the input to be recovered. We restrict attention to private channels of a special form: those which allow 
the input to be recovered not with the quantum state of the environment but instead with a classical 
key that can be pre-shared between two parties that wish to establish a secure quantum channel. These 
channels, called private channels, were introduced and studied in 0,0-

An important example of a private quantum channel is the completely depolarizing channel. This 
is the channel $\Omega$ that maps any input to the completely mixed state. One circuit implementation of this
channel is given in Figure 2.

In order to use the completely depolarizing channel as a private channel we must add a key. This can
be done to the implementation in Figure 2 by replacing the qubits in the $|+\rangle$ state with a classical string.
The result is a channel that applies a key-specified Pauli to each of the input qubits. We will refer to this
channel as $\Omega_k$ when a specific key $k$ is used. Notice that if $\Omega_k \in T(\mathcal{H}, \mathcal{H})$, then $|k| = 2 \log \dim \mathcal{H}$, i.e. we use
two key bits for each encrypted qubit. In the case of a perfect encryption channel this rate of two key bits
per qubit is optimal j3,Sl3|. When the key $k$ is unknown and uniformly distributed, the channel $\Omega_k$ is
identical to $\Omega$, i.e. if the key $k$ is uniformly distributed in $\{0, \ldots, 2^m - 1\}$ we have



We use the following definition of an approximately private channel (i.e. secure encryption). 

Definition 2. Let $E$ be a channel that takes two inputs: an integer $k \in \{1, \ldots, K\}$ and a quantum state in
$\mathcal{H}$, and produces an output in $\mathcal{K}$, where $\dim \mathcal{H} \leq \dim \mathcal{K}$. For a fixed value of $k$ we write $E_k(\cdot) = E(k, \cdot)$.
We call $E$ an $\varepsilon$-private channel if

1. There is a decryption channel, i.e. there exists a channel $D : \{1, \ldots, K\} \otimes D(\mathcal{K}) \to D(\mathcal{H})$ such that
for all $k$

$$\|D_k \circ E_k - \mathbb{1}_{\mathcal{H}}\|_\diamond \leq \varepsilon,$$

where the size of the circuit for $D$ is bounded by a polynomial in the size of the circuit for $E$.

2. Without the key $k$, the output of $E$ has almost no information about the input state, i.e.



where $\Omega \in T(\mathcal{H}, \mathcal{K})$ is the depolarizing channel that maps all inputs to $\mathbb{1}_{\mathcal{K}} / \dim \mathcal{K}$.

The use of the diamond norm in this definition is significant: we require that both conditions hold 
even for part of an entangled state. Specifically, a channel satisfying this definition both preserves any 
entanglement with the transmitted state and remains secure even in the case that an eavesdropper
is entangled with the input. We use this strong definition because one of the main results of the paper 
is a hardness result: distinguishing secure and insecure encryption remains hard even when the secure 
encryption is promised to be secure in this strong model. Our hardness result remains true for the weaker 
model of private channels using only the trace norm. 

This definition is a strengthened version of the model used by Ambainis and Smith Q|, who define 
security in a similar way, but only against adversaries that are not entangled with the input state. Another 
similar model is considered by Hayden et al. [n|], which also does not consider entangled adversaries, 
but uses a stronger bound involving the operator norm. The hardness result in this paper does not apply 
with respect to this stronger bound. 

Like the perfect encryption schemes found in 0,0], the encryption scheme constructed by our reduction
uses $2 \log d$ key bits to encrypt a state of dimension $d$. As argued (implicitly) in this is
essentially optimal: any scheme using fewer than $2 \log d \, (1 - \mathrm{poly}(\varepsilon))$ key bits cannot be secure against
entangled adversaries.
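
The properties of the key-specified Pauli channel $\Omega_k$ described in this section can be checked numerically on small systems. The following Python code is an added example, not code from the paper: all function names and sample states are constructed for illustration, and the X-only key at the end is a weak variant introduced here to show what a non-private channel looks like.

```python
# Added example: the key-specified Pauli channel on n qubits,
# simulated with plain nested-list matrices (no external libraries).

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
PAULIS = [I2, X, Y, Z]  # two key bits select one Pauli per qubit


def kron(a, b):
    """Tensor product of two matrices."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def dagger(a):
    return [[complex(a[j][i]).conjugate() for j in range(len(a))]
            for i in range(len(a[0]))]


def identity(d):
    return [[1 if i == j else 0 for j in range(d)] for i in range(d)]


def maximally_mixed(d):
    return [[(1 / d if i == j else 0) for j in range(d)] for i in range(d)]


def pure(vec):
    """Density matrix |v><v| of a normalized state vector."""
    return [[x * complex(y).conjugate() for y in vec] for x in vec]


def key_unitary(key, n, ref_dim=1):
    """Pauli string chosen by a 2n-bit key, tensored with the identity on a reference system."""
    u = [[1]]
    for q in range(n):
        u = kron(u, PAULIS[(key >> (2 * q)) & 3])
    return kron(u, identity(ref_dim))


def encrypt(rho, key, n, ref_dim=1):
    u = key_unitary(key, n, ref_dim)
    return matmul(matmul(u, rho), dagger(u))


def decrypt(sigma, key, n, ref_dim=1):
    u = key_unitary(key, n, ref_dim)
    return matmul(matmul(dagger(u), sigma), u)


def average_over_keys(rho, n, keys, ref_dim=1):
    """State seen by an eavesdropper when the key is uniform over `keys`."""
    keys = list(keys)
    d = len(rho)
    acc = [[0] * d for _ in range(d)]
    for key in keys:
        out = encrypt(rho, key, n, ref_dim)
        acc = [[acc[i][j] + out[i][j] for j in range(d)] for i in range(d)]
    return [[v / len(keys) for v in row] for row in acc]


def reduced_reference(rho, d_in, d_ref):
    """Partial trace over the encrypted system (the first tensor factor)."""
    return [[sum(rho[i * d_ref + k][i * d_ref + l] for i in range(d_in))
             for l in range(d_ref)] for k in range(d_ref)]


def close(a, b, tol=1e-12):
    return all(abs(a[i][j] - b[i][j]) < tol
               for i in range(len(a)) for j in range(len(a)))


def demo():
    results = {}
    rho = pure([0.5, 0.5j, -0.5, 0.5])  # constructed two-qubit input state
    all_keys = range(4 ** 2)
    # Uniform unknown key: the output is the completely mixed state.
    results["uniform_key_hides_input"] = close(
        average_over_keys(rho, 2, all_keys), maximally_mixed(4))
    # Known key: the input is recovered exactly.
    results["key_holder_decrypts"] = all(
        close(decrypt(encrypt(rho, k, 2), k, 2), rho) for k in all_keys)
    # One encrypted qubit entangled with a reference qubit (constructed state):
    # the output factorizes as (completely mixed) x (reference state).
    ent = pure([0.8 ** 0.5, 0, 0, 0.2 ** 0.5])
    expected = kron(maximally_mixed(2), reduced_reference(ent, 2, 2))
    results["secure_against_entangled_reference"] = close(
        average_over_keys(ent, 1, range(4), ref_dim=2), expected)
    # Weak variant with one key bit per qubit (identity or X): |+> passes unchanged.
    plus = pure([0.5 ** 0.5, 0.5 ** 0.5])
    results["x_only_key_leaks_plus"] = close(
        average_over_keys(plus, 1, [0, 1]), plus)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The entangled-reference check corresponds to the use of the diamond norm in Definition 2; the X-only variant hides $|0\rangle$ but not $|+\rangle$, which is the kind of unencrypted input the insecure case is about.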

3 Testing Circuits 

The problem of testing the behaviour of a quantum circuit can be informally stated as: given a circuit
$C$, decide between two cases, either the circuit acts like some known circuit $C_0$ on a large subspace of
the input, or the circuit acts like some other known circuit $C_1$ on the whole input space. We use uniform
circuit families $\mathcal{C}_0$ and $\mathcal{C}_1$ since it is important that the circuit $C$, which is provided as input, takes the
same number of input and output qubits as the circuits $C_0$ and $C_1$.




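Problem 3 (Circuit Testing). Let $0 < \varepsilon < 1$, $0 < \delta \leq 1$, and let $\mathcal{C}_0$ and $\mathcal{C}_1$ be two uniform families of quantum
circuits. The input to the problem is a circuit $C \in T(\mathcal{X}, \mathcal{Y})$. Let $C_0, C_1$ be the circuits drawn from $\mathcal{C}_0$ and
$\mathcal{C}_1$ that take as input states on $\mathcal{X}$. The promise problem is to decide between:

Yes: There exists a subspace $S$ of $\mathcal{X}$ with $\dim S \geq (\dim \mathcal{X})^{1-\delta}$ such that for any reference space $\mathcal{R}$ and
any $\rho \in D(S \otimes \mathcal{R})$

$$\|(C \otimes \mathbb{1}_{\mathcal{R}})(\rho) - (C_0 \otimes \mathbb{1}_{\mathcal{R}})(\rho)\|_{\mathrm{tr}} \leq \varepsilon,$$

No: $\|C - C_1\|_\diamond \leq \varepsilon$, i.e. for any reference space $\mathcal{R}$ and any $\rho \in D(\mathcal{X} \otimes \mathcal{R})$

$$\|(C \otimes \mathbb{1}_{\mathcal{R}})(\rho) - (C_1 \otimes \mathbb{1}_{\mathcal{R}})(\rho)\|_{\mathrm{tr}} \leq \varepsilon.$$

When the values of $\varepsilon$, $\delta$, $\mathcal{C}_0$, and $\mathcal{C}_1$ are significant we will refer to this problem as $\mathrm{CT}(\varepsilon, \delta, \mathcal{C}_0, \mathcal{C}_1)$.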

This problem is well-defined only for families $\mathcal{C}_0$ and $\mathcal{C}_1$ that do not violate the promise, i.e. any
circuits whose outputs are not too close together. These are the circuits $C_0$ and $C_1$ such that there does not
exist a subspace $T$ of $\mathcal{X}$ of size $\dim T \geq (\dim \mathcal{X})^{\delta}$ such that for any input states $\rho \in D(T \otimes \mathcal{R})$ we have
$\|(C_0 \otimes \mathbb{1}_{\mathcal{R}})(\rho) - (C_1 \otimes \mathbb{1}_{\mathcal{R}})(\rho)\|_{\mathrm{tr}} \leq 2\varepsilon$, i.e. there does not exist a large subspace of pure states on which
$C_0$ and $C_1$ produce output that is close together. This condition can be difficult to verify, but in many
applications it is easy to see that the two circuits do not agree on too many pure states. The application
of this hardness result to detecting insecure encryption, for instance, uses $C_0$ as the identity and $C_1$ as
the completely depolarizing channel, and these two circuits never agree on a pure input state. We are
able to prove that this problem is QMA-hard for any circuit families that satisfy this condition.

Notice also the special case $\delta = 1$: here the CT problem asks if there are any input states on which the
circuit $C$ behaves like $C_0$ or if it behaves like $C_1$ for all input states. In this case the problem is well-defined
for any families $\mathcal{C}_0$ and $\mathcal{C}_1$ that do not agree on the whole space (up to error $2\varepsilon$).

Concerning the parameters $\varepsilon$ and $\delta$, we may take $\varepsilon = 2^{-p}$ for any polynomial $p$ using an amplification
result for QMA IB, 17], and we may take $\delta$ to be any constant satisfying $0 < \delta \leq 1$.



3.1 Testing Circuits is QMA-hard

To show the hardness of CT we use a reduction from an arbitrary problem in QMA. This involves
embedding the verifier in a QMA protocol into an instance of CT with the property that the resulting circuit
runs $C_0$ if the Verifier can be made to accept and runs $C_1$ if the Verifier cannot be made to accept.

Formalizing this notion, let $L$ be an arbitrary language in QMA and let $x$ be an input string. The
QMA-complete problem is to decide whether or not $x \in L$. Since $L \in$ QMA, there exists some unitary
circuit $V$ on $\mathcal{H} \otimes \mathcal{A}$ which can be constructed efficiently from $x$ such that if $x \in L$, there exists a pure
state $|\psi\rangle \in \mathcal{H}$ such that measuring the first qubit of $V(|\psi\rangle \otimes |0\rangle)$ results in $|1\rangle$ with probability at least $1 - \varepsilon$,
whereas if $x \notin L$, then for any state $|\psi\rangle$ a measurement of $V(|\psi\rangle \otimes |0\rangle)$ results in $|1\rangle$ with probability at
most $\varepsilon$. By using standard error-reduction techniques for QMA, we may take $\varepsilon$ to be negligible in the
size of the circuit for $V$ Il^.lr7ll . Notice also that the restriction to pure witness states $|\psi\rangle$ can be made
without loss of generality using a convexity argument.

Our goal is to show that CT is hard for as many choices of parameters as possible. To this end, let
$\delta > 0$ be constant and let $\mathcal{C}_0$ and $\mathcal{C}_1$ be uniform circuit families on which the problem $\mathrm{CT}(3\sqrt{\varepsilon}, \delta, \mathcal{C}_0, \mathcal{C}_1)$
is well-defined. These are any families $\mathcal{C}_i = \{C_{i,n} : n \geq 1\}$, where the circuit $C_{i,n}$ takes an $n$ qubit input
state, such that for any $n$ the circuits $C_{0,n}$ and $C_{1,n}$ do not produce outputs that are too close together
on some large subspace of pure input states. In particular, we require that for all $n$, there does not exist a
subspace $T$ of the $n$-qubit input space $\mathcal{X}$ with $\dim T \geq (\dim \mathcal{X})^{\delta}$ such that for any states $\rho \in D(T \otimes \mathcal{R})$ we
have $\|(C_0 \otimes \mathbb{1}_{\mathcal{R}})(\rho) - (C_1 \otimes \mathbb{1}_{\mathcal{R}})(\rho)\|_{\mathrm{tr}} \leq 6\sqrt{\varepsilon}$.

Figure 3: Circuit output by the reduction. The circuit $V$ is the unitary circuit applied by the QMA verifier
for the language $L$. The circuit $U_i$ is the unitary circuit obtained from $C_i$ by removing the gates that
introduce ancillary qubits and trace out qubits.

The key idea to the reduction is that we construct a circuit that takes an input state and applies the
unitary $V$ to a portion of it, makes a 'copy' of the output bit with a controlled-not gate, and then applies
$V^*$. If the result of the QMA protocol would have been the verifier accepting (i.e. the copy of the output
qubit is measured in the $|1\rangle$ state), then we apply the circuit $C_0$. On the other hand, if the output qubit
was in the $|0\rangle$ state, we apply the circuit $C_1$. This results in a circuit that applies $C_0$ if and only if the input is a
state the Verifier in the QMA proof system accepts. In order to guarantee that the subspace of accepting
states is large enough, we add dummy input qubits that are ignored by the circuit $V$ but are acted on
by either $C_0$ or $C_1$. By adding enough of these qubits, we can ensure that if there is at least one state $V$
accepts, then the result is a large subspace of states that are accepted.

The full construction of the circuit produced by the reduction is shown in Figure 3. Before describing
the circuit, we fix the notation that we will use. Let $C_0$ and $C_1$ be circuits drawn from $\mathcal{C}_0$ and $\mathcal{C}_1$
implementing transformations in $T(\mathcal{X}, \mathcal{Y})$, where $\mathcal{X} = \mathcal{H} \otimes \mathcal{F}$ and W = & ® , using the spaces , from
the QMA Verifier for $L$. Further, we may let $\dim \mathcal{F} = \lceil (\dim \mathcal{H})^{(1-\delta)/\delta} \rceil$, since we are free to take any
polynomial number of input qubits to $C_0$ and $C_1$. We also assume without loss of generality that these circuits
are implemented by circuits that apply unitary circuits mapping $\mathcal{X} \otimes \mathcal{A} \to \mathcal{Y} \otimes \mathcal{G}$, where the space $\mathcal{A}$
holds any ancillary qubits needed by the circuit (initially in the $|0\rangle$ state) and the space $\mathcal{G}$ represents the
qubits traced out at the end of the computation. Any mixed-state circuit can be efficiently transformed
into a circuit of this form by moving the introduction of ancillary qubits to the start of the circuit and
delaying any partial traces to the end of the circuit. We may also assume that both the circuit $V$ and
the circuits $C_0$ and $C_1$ use ancillary spaces $\mathcal{A}$ of the same size, by simply padding the circuits using a
smaller space with unused ancillary qubits.

Let $C$ be the circuit in Figure 3. This circuit takes as input a quantum state $\rho$ on the space $\mathcal{X} =
\mathcal{H} \otimes \mathcal{F}$. This circuit first applies $V$ to the portion of $\rho$ in $\mathcal{H}$ as well as any needed ancillary qubits in
the space $\mathcal{A}$. Next, the circuit makes a classical copy of the 'output bit' of $V$, which is used as a control
for the application of the circuits $C_0$ and $C_1$. The circuit $V^*$ is then applied, so that the result (provided
that $V$ accepts or rejects with high probability) is a state that is close to the input state plus a qubit that
indicates whether $V$ accepts or rejects the input state. The circuit then applies $C_0$ if $V$ accepts and $C_1$ if $V$
rejects. These circuits use the same ancillary space $\mathcal{A}$ as the circuits $V$ and $V^*$, but as long as the Verifier
$V$ either accepts or rejects the input state with high probability these ancillary qubits will be returned to
the $|0\rangle$ state, up to trace distance $2\sqrt{\varepsilon}$.

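Before proving the correctness of the reduction, it will be convenient to write down some of the
states produced by running the constructed circuit $C$. Let $\rho$ be an arbitrary input state in $D(\mathcal{H} \otimes \mathcal{F})$ and
let $|\psi\rangle \in \mathcal{H} \otimes \mathcal{F} \otimes \mathcal{R}$ be a purification of $\rho$. The order of the spaces 2ff and has been changed for
notational convenience. After applying the unitary $V$ to the portion of $|\psi\rangle$ in $\mathcal{H}$, the state can be written
as

$$|\phi\rangle = (V \otimes \mathbb{1}_{\mathcal{F}} \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle \otimes |0\rangle),$$

where the $|0\rangle$ qubits are in the space $\mathcal{A}$. Then, there exist states $|\phi_0\rangle, |\phi_1\rangle$ on all but the first qubit of
Jf® such that

$$|\phi\rangle = \sqrt{1-p}\,|0\rangle \otimes |\phi_0\rangle + \sqrt{p}\,|1\rangle \otimes |\phi_1\rangle,$$

where $0 \leq p \leq 1$ is exactly the probability that the Verifier accepts in the original protocol on input $\operatorname{tr}_{\mathcal{F}} \rho$.
Applying the controlled-not gate results in

$$|\phi'\rangle = \sqrt{1-p}\,|00\rangle \otimes |\phi_0\rangle + \sqrt{p}\,|11\rangle \otimes |\phi_1\rangle.$$

We then bound the trace distance of $|\phi'\rangle$ to $|0\rangle|\phi\rangle$ and $|1\rangle|\phi\rangle$. In the case of $|0\rangle|\phi\rangle$ we have

$$\big\| |\phi'\rangle\langle\phi'| - |0\rangle\langle 0| \otimes |\phi\rangle\langle\phi| \big\|_{\mathrm{tr}} = 2\sqrt{1 - |\langle \phi' | 0 \phi \rangle|^2} = 2\sqrt{1 - (1-p)^2} \leq 3\sqrt{p}, \quad (2)$$

and in the similar case of $|1\rangle|\phi\rangle$ we have

$$\big\| |\phi'\rangle\langle\phi'| - |1\rangle\langle 1| \otimes |\phi\rangle\langle\phi| \big\|_{\mathrm{tr}} = 2\sqrt{1 - |\langle \phi' | 1 \phi \rangle|^2} = 2\sqrt{1 - p^2} \leq 3\sqrt{1-p}. \quad (3)$$

These two equations show that, when $p$ is close to 0 or 1, the fact that we make a classical copy of the
output qubit does not have a large effect on the state of the system. (This fact can also be argued from
the Gentle Measurement Lemma [22].) The remainder of the circuit then applies $V^*$ and, depending on
the value of the control qubit, one of $C_0$ and $C_1$. We consider two cases, which are argued in two separate
propositions.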

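Proposition 4. If $x \in L$, then there exists a subspace $S$ of $\mathcal{X}$ with $\dim S \geq (\dim \mathcal{X})^{1-\delta}$ such that for any
reference system $\mathcal{R}$ and any $|\psi\rangle \in S \otimes \mathcal{R}$

$$\|(C \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|) - (C_0 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|)\|_{\mathrm{tr}} \leq 3\sqrt{\varepsilon}. \quad (4)$$

Proof. If $x \in L$, then there is some input state $|\psi\rangle$ on which the Verifier accepts with probability $p \geq
1 - \varepsilon$. Applying the remainder of the circuit, up to the partial trace, to the state $|1\rangle|\phi\rangle$ results in the state
$|1\rangle \otimes (U_0 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle \otimes |0\rangle)$. Tracing out the space $\mathcal{G}$ as well as the copy of the output qubit results in exactly
the state $\operatorname{tr}_{\mathcal{G}} (U_0 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi| \otimes |0\rangle\langle 0|)(U_0^* \otimes \mathbb{1}_{\mathcal{R}}) = (C_0 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|)$. This is not quite equal to the output
of the constructed circuit $C$, however, as in this evaluation we have replaced the state $|\phi'\rangle$ with the state
$|1\rangle|\phi\rangle$. However, using the monotonicity of the trace norm under quantum operations, the remainder of
the circuit cannot increase the norm of the difference of the two states, and so applying Equation (3), we have

$$\|(C \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|) - (C_0 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|)\|_{\mathrm{tr}} \leq 3\sqrt{1-p} \leq 3\sqrt{\varepsilon}. \quad (5)$$

It remains to show that this occurs on a large subspace of $\mathcal{X} = \mathcal{H} \otimes \mathcal{F}$. Since we have assumed the
Verifier $V$ accepts with high probability on the state $|\psi\rangle$, this implies that there is some state $|\gamma\rangle \in \mathcal{H}$ for
which $V$ also accepts with probability at least $1 - \varepsilon$, as $V$ ignores the qubits in $\mathcal{F}$. Then, since $|\psi\rangle$ was
arbitrary, Equation (5) also applies to $|\gamma\rangle \otimes |\xi\rangle \in \mathcal{X}$ for any state $|\xi\rangle \in \mathcal{F}$. The subspace $S$ of states
whose reduced state on $\mathcal{H}$ is equal to $|\gamma\rangle$ has dimension $\dim \mathcal{F}$. Then, since $\dim \mathcal{F} = \lceil (\dim \mathcal{H})^{(1-\delta)/\delta} \rceil$,
we have

$$\dim \mathcal{X} = \dim \mathcal{H} \otimes \mathcal{F} = \dim \mathcal{H} \dim \mathcal{F} \leq (\dim \mathcal{F})^{\delta/(1-\delta)} \dim \mathcal{F} = (\dim \mathcal{F})^{1/(1-\delta)},$$

which implies that $\dim \mathcal{F} \geq (\dim \mathcal{X})^{1-\delta}$, as required. Thus, when $x \in L$ the Verifier $V$ can be made to
accept, and so the result is a yes instance of CT. □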

The remaining case is when $x \notin L$, i.e. the Verifier $V$ rejects every state with high probability. The
proof of this case is extremely similar to the previous one.

Proposition 5. If $x \notin L$, then for any reference system $\mathcal{R}$ and any $\rho \in \mathcal{X} \otimes \mathcal{R}$, $\|C - C_1\|_\diamond \leq 3\sqrt{\varepsilon}$.

Proof. This proof is similar to the proof of Proposition 4. If $x \notin L$, then $V$ accepts any state $|\psi\rangle$ with
probability $p \leq \varepsilon$. If we consider applying $V^*$ and the remainder of the circuit to the state $|0\rangle|\phi\rangle$, the
result is $(C_1 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|)$, similarly to the previous case. Once again, we do not run this part of the
circuit on this state, but the state $|\phi'\rangle$ which is very close to it. Once again we can apply the monotonicity
of the trace norm under quantum operations and Equation (2) to show that

$$\|(C \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|) - (C_1 \otimes \mathbb{1}_{\mathcal{R}})(|\psi\rangle\langle\psi|)\|_{\mathrm{tr}} \leq 3\sqrt{p} \leq 3\sqrt{\varepsilon}.$$

Since this equation applies for all reference systems and all states $|\psi\rangle$, this proves that if $x \notin L$, then
we have $\|C - C_1\|_\diamond \leq 3\sqrt{\varepsilon}$. □

Taken together, these two propositions prove the hardness of the CT problem. Note once again that
in order for the CT problem to be well defined (i.e. the set of 'yes' instances does not intersect the set
of 'no' instances) we require that circuits from the two families are not too close together for any large
subspaces of pure input states. See the discussion following Problem 3 for a technical condition that is
equivalent to this requirement.

Theorem 6. $\mathrm{CT}(\varepsilon, \delta, \mathcal{C}_0, \mathcal{C}_1)$ is QMA-hard for any $0 < \varepsilon < 1$ such that $\varepsilon > 2^{-p}$ for some polynomial $p$, any
constant $0 < \delta \leq 1$, and any uniform circuit families $\mathcal{C}_i$ for which the problem is well-defined.

Proof. The correctness of the reduction is argued in Propositions 4 and 5. It remains only to verify
that the reduction can be performed efficiently. To see that the reduction can be performed in time
polynomial in the size of the input $x$ (which is at most polynomially smaller than the size of the circuit
$V$), note that the only part of the reduction that can cause a problem is the size of the space $\mathcal{F}$, since we have taken
$\dim \mathcal{F} = \lceil (\dim \mathcal{H})^{(1-\delta)/\delta} \rceil$. This implies that the space $\mathcal{F}$ requires a factor of $(1-\delta)/\delta$ more qubits than
the space $\mathcal{H}$, which is linear in the input dimension so long as $\delta$ is a constant. This implies that the
reduction can be performed in (classical deterministic) polynomial time. □



3.2 Applications 

In this section we apply Theorem 6 to reprove the hardness of some of the circuit problems that are
known to be hard for QMA as well as to show the QMA-hardness of some new circuit problems.

The first problem we consider is a slightly generalized version of the problem Non-identity Check
studied by Janzing, Wocjan, and Beth [13], who show that it is QMA-complete. Our version of the problem
differs in that we allow the input circuit to be a mixed-state circuit. We do still require, however, that
if the circuit does not act like the identity everywhere, then it acts like some efficient unitary circuit $U$ on
some input state for which $U$ is far from the identity. This requirement is not needed to prove that this
problem is hard, but it is hard to see how to put the problem into QMA without it.



Problem 7 (Mixed Non-identity Check [13]). Let $0 < \varepsilon < 1$. On input $C$, a circuit in $T(\mathcal{X}, \mathcal{X})$, the
promise problem is to decide between:

Yes: $\|C - \mathbb{1}\|_\diamond \geq 2 - \varepsilon$ and there exists an efficient unitary $U$ such that on some pure state $|\psi\rangle \in \mathcal{X}$ we
have $\|C(|\psi\rangle\langle\psi|) - U|\psi\rangle\langle\psi|U^*\|_{\mathrm{tr}} \leq \varepsilon$ and $\|U|\psi\rangle\langle\psi|U^* - |\psi\rangle\langle\psi|\|_{\mathrm{tr}} \geq 2 - \varepsilon$.

No: $\|C - \mathbb{1}\|_\diamond \leq \varepsilon$.

The QMA-hardness of this problem follows from Theorem 6 and the fact that $\mathrm{CT}(\varepsilon, 1, \mathcal{U}, \mathbb{1})$ is a special
case of the problem, where $\mathcal{U}$ is any uniform family of quantum circuits that are not close to the identity
(one such example is the family of circuits that apply Pauli $X$ to the first input qubit).

The next problem we consider is the problem of detecting whether a (mixed-state) circuit is close to
an isometry, which was shown to be QMA-complete in [18]. This can be formalized as the problem of
detecting if there is a pure input state on which the output state is highly mixed.

Problem 8 (Non-isometry [18]). Let $0 < \varepsilon < 1/2$. On input a circuit $C \in T(\mathcal{X}, \mathcal{Y})$ the promise problem is
to decide between:

Yes: There exists $|\psi\rangle \in \mathcal{X}$ such that $\|(\Phi \otimes \mathbb{1}_{\mathcal{X}})(|\psi\rangle\langle\psi|)\|_\infty \leq \varepsilon$,
No: For all $|\psi\rangle \in \mathcal{X}$, $\|(\Phi \otimes \mathbb{1}_{\mathcal{X}})(|\psi\rangle\langle\psi|)\|_\infty \geq 1 - \varepsilon$.

The QMA-hardness of this problem follows from Theorem 6, since $\mathrm{CT}(\varepsilon, 1, \Omega, \mathbb{1})$ is a special case.

We can also apply Theorem 6 to show the hardness of the problem of determining if a channel has a
pure fixed point. This problem can be stated as follows.

Problem 9 (Pure Fixed Point). Let $0 < \varepsilon < 1$. On input a circuit $C \in T(\mathcal{X}, \mathcal{X})$ the promise problem is to
decide between:

Yes: There exists $|\psi\rangle \in \mathcal{X}$ such that $\|C(|\psi\rangle\langle\psi|) - |\psi\rangle\langle\psi|\|_{\mathrm{tr}} \leq \varepsilon$
No: For any $|\psi\rangle \in \mathcal{X}$, $\|C(|\psi\rangle\langle\psi|) - |\psi\rangle\langle\psi|\|_{\mathrm{tr}} \geq 2 - \varepsilon$

The QMA-hardness of this problem follows from the fact that $\mathrm{CT}(\varepsilon, 1, \mathbb{1}, \Omega)$ is a special case.

A related problem is determining if the minimum output entropy of a quantum channel is small. 
Related results can be found in [5|], though the model used there seems to be incompatible with the 
model used in the present paper. In order to define this problem, let S m i n (C) = min p S(C(p)) be the 
minimum output entropy of the channel C (where S is the von Neumann entropy) . 

Problem 10 (Minimum Output Entropy). Let $0 < \varepsilon < 1/2$. On input a circuit $C \in T(\mathcal{X}, \mathcal{X})$ the promise
problem is to decide between:

Yes: $S_{\min}(C) < \varepsilon \log \dim \mathcal{X}$

No: $S_{\min}(C) > (1 - \varepsilon) \log \dim \mathcal{X}$

As in the previous case, the QMA-hardness of this problem follows from Theorem 6 and the fact that
$\mathrm{CT}(\varepsilon/2, 1, \mathbb{1}, \Omega)$ is a special case. The $\log \dim \mathcal{X}$ terms in the statement of the problem are due to the use
of Fannes Inequality [10] to transform trace distance bounds to entropy bounds.
4 Detecting Insecure Encryption



In this section we consider the problem of detecting when a two-party symmetric key quantum encryption
system is insecure. We first use Theorem 6 to show that this problem is hard, and then give a QMA
verifier to show that it is QMA-complete. The problem can be defined as follows.

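Problem 11 (Detecting Insecure Encryption). For $0 < \varepsilon < 1$ and $0 < \delta < 1$ an instance of the problem
consists of a quantum circuit $E$ that takes as input a quantum state as well as $m$ classical bits, such that
for each $k \in \{0,1\}^m$ the circuit implements a quantum channel $E_k \in T(\mathcal{H}, \mathcal{K})$ with $\dim \mathcal{K} > \dim \mathcal{H}$. The
promise problem is to decide between:

Yes: There exists a subspace $S$ of $\mathcal{H}$ with $\dim S > (\dim \mathcal{H})^{1-\delta}$ such that for any reference space $\mathcal{R}$, any
$\rho \in D(S \otimes \mathcal{R})$, and any key $k$, $\|(E_k \otimes \mathbb{1}_{\mathcal{R}})(\rho) - \rho\|_{\mathrm{tr}} < \varepsilon$.

No: $E$ is an $\varepsilon$-private channel, i.e. $\left\| \frac{1}{2^m} \sum_{k \in \{0,1\}^m} E_k - \Omega \right\|_\diamond \leq \varepsilon$, where $\Omega$ is the completely depolarizing
channel in $T(\mathcal{H}, \mathcal{K})$, and there exists a polynomial-size quantum circuit $D$ such that for all $k$ we
have $\|D_k \circ E_k - \mathbb{1}_{\mathcal{H}}\|_\diamond < \varepsilon$.

When the values of $\varepsilon$ and $\delta$ are significant, we will refer to this problem as $\mathrm{DI}_{\varepsilon,\delta}$.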

Informally, this is the problem of distinguishing two cases: either the channel fails to encrypt a large 
subspace of the input qubits (for any key), or the channel is very close to a perfect encryption channel. 

Theorem 12. $\mathrm{DI}_{\varepsilon,\delta}$ is QMA-hard for all $0 < \varepsilon < 1/2$ and all $0 < \delta < 1$.

Proof. Let $\mathcal{E}_k = \{\Omega_{k,n}\}$ where $\Omega_{k,n}$ is the $n$-qubit channel that applies the $k$th Pauli operator to the input
qubits. As in Equation Q} averaging over all keys $k$ results in the completely depolarizing channel
on $n$ qubits. Then, Theorem 6 implies that $\mathrm{CT}(\varepsilon, \delta, \mathbb{1}_k, \mathcal{E}_k)$ is hard for QMA, where $\mathbb{1}_k$ is the channel that
discards the key $k$ and does nothing to the quantum input.

The problem $\mathrm{CT}(\varepsilon, \delta, \mathbb{1}_k, \mathcal{E}_k)$ involves a slight redefinition of the problem CT to include both a quantum
input, as well as a classical input $k$. This can be done without difficulty by including the classical
input as part of the quantum input (to circuits in the families $\mathbb{1}_k$ and $\mathcal{E}_k$) that is immediately measured
in the computational basis (and in the case of $\mathbb{1}_k$, discarded). The problem $\mathrm{CT}(\varepsilon, \delta, \mathbb{1}_k, \mathcal{E}_k)$ remains hard
after this modification.

The QMA-hardness of $\mathrm{DI}_{\varepsilon,\delta}$ then follows immediately from the fact that the problem of detecting
insecure encryption is simply $\mathrm{CT}(\varepsilon, \delta, \mathbb{1}_k, \mathcal{E}_k)$ with a weakened promise. Since the sets of 'yes' instances
of the two problems are identical, we need only verify the 'no' instances. Let the circuit $C \in T(\mathcal{H}, \mathcal{K})$ be a
'no' instance of $\mathrm{CT}(\varepsilon, \delta, \mathbb{1}_k, \mathcal{E}_k)$ and let $C_k(\cdot) = C(|k\rangle\langle k| \otimes \cdot)$ be the circuit defined by hardcoding the input
in the 'key' portion of the input space. Then, for any input $\rho$ and any key $k$, we have $\|C_k - \Omega_k\|_\diamond < \varepsilon$,
since this follows for the versions of these circuits without a hardcoded key (which is just a restriction of
the input space). From this equation, the triangle inequality implies that



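which is the property required by 'no' instances of DI. To see further that the output of $C_k$ can be decrypted
with knowledge of $k$, observe that $\Omega_k^{-1} \circ \Omega_k = \mathbb{1}$, and so it follows that

$$\|\Omega_k^{-1} \circ C_k - \mathbb{1}\|_\diamond \leq \|\Omega_k^{-1} \circ C_k - \Omega_k^{-1} \circ \Omega_k\|_\diamond + \|\Omega_k^{-1} \circ \Omega_k - \mathbb{1}\|_\diamond \leq \|C_k - \Omega_k\|_\diamond < \varepsilon,$$

which implies that instances of $\mathrm{CT}(\varepsilon, \delta, \mathbb{1}_k, \mathcal{E}_k)$ are equivalent to instances of $\mathrm{DI}_{\varepsilon,\delta}$, as required.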



□ 
4.1 QMA Protocol



To test the security of an encryption system in QMA the Verifier will need a tool to compare two quantum
states. Such a tool is provided by the swap test, introduced in [8], though here we essentially use it to test
the purity of quantum states as is done in (jj.

The swap test is an efficient procedure that makes the projective measurement onto the symmetric
and antisymmetric subspaces of a bipartite space. Let $W$ be the swap operation on $\mathcal{H} \otimes \mathcal{H}$, i.e.
$W(|\psi\rangle \otimes |\phi\rangle) = |\phi\rangle \otimes |\psi\rangle$ for all $|\psi\rangle, |\phi\rangle \in \mathcal{H}$. The swap test performs the two-outcome projective measurement
given by the projection onto the symmetric subspace, given by $(\mathbb{1}_{\mathcal{H} \otimes \mathcal{H}} + W)/2$, and the projection onto
the antisymmetric subspace, given by $(\mathbb{1}_{\mathcal{H} \otimes \mathcal{H}} - W)/2$.

Given two pure states $|\psi\rangle, |\phi\rangle$, the swap test returns the symmetric outcome with probability
$(1 + |\langle\psi|\phi\rangle|^2)/2$. When applied to mixed states $\rho, \sigma$, the swap test can also be used to estimate the overlap,
as the result is symmetric with probability $(1 + \operatorname{tr}(\rho\sigma))/2$, as observed in Q). Notice that this implies that
the swap test can be used to estimate the purity of a state, given two copies.

The idea behind the protocol is that if the encryption system specified by E is insecure then, regard- 
less of the key chosen, it acts trivially on some subspace of the input states. In this case a proof can 
consist simply of two copies of some pure state in this subspace. The Verifier runs E on both of these 
states in parallel and tests that they have not been changed by performing the swap test. In the case 
that the circuit is insecure, this proof state will cause the Verifier to obtain the symmetric outcome of the 
swap test with probability approaching 1. Note that this protocol does not check that the input state is 
unchanged, only that the output states of the two applications of E are (close to) the same pure state. 

If E represents a secure encryption system, then without knowledge of the key the output of E is 
close to the completely mixed state, regardless of the input state. In this case the Verifier performs the 
swap test on two highly mixed states and the result is antisymmetric with probability close to 1/2.

This protocol can be formalized as follows. A circuit implementation can be found in Figure 4.

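Protocol 13. On input a circuit $E : \{1, \ldots, K\} \otimes D(\mathcal{H}) \to D(\mathcal{K})$, an instance of $\mathrm{DI}_{\varepsilon,\delta}$, as well as a quantum
proof $|\phi\rangle$ in $D((\mathcal{H} \otimes \mathcal{R})^{\otimes 2})$ (where $\dim \mathcal{R} = \dim \mathcal{H}$), the Verifier performs the following protocol.

1. The Verifier generates random keys $k_1, k_2 \in \{1, \ldots, K\}$.

2. The Verifier applies $(E_{k_1} \otimes \mathbb{1}_{\mathcal{R}}) \otimes (E_{k_2} \otimes \mathbb{1}_{\mathcal{R}})$ to the state $|\phi\rangle$.

3. The Verifier applies the swap test to the resulting state, accepting if the outcome is symmetric.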

The reference space $\mathcal{R}$ appears in this protocol, but Problem 11 places no upper bound on the size
of this space, and the value of the norm being verified may increase with the size of the space $\mathcal{R}$. Fortunately,
this process stabilizes when $\dim \mathcal{R} = \dim \mathcal{H}$, and so we may assume that this space is of this size,
which at most doubles the number of input qubits to the protocol.
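The following numerical sketch of Protocol 13 is an added example, not code from the paper. It assumes single-qubit messages and omits the reference space; the names `accept_probability`, `ONE_TIME_PAD` and `PHASE_ONLY` are illustrative, and the phase-only scheme is a constructed insecure instance.

```python
from itertools import product

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]

# Swap operation W on two qubits and the symmetric projector (1 + W)/2.
W = [[1, 0, 0, 0], [0, 0, 1, 0], [0, 1, 0, 0], [0, 0, 0, 1]]
P_SYM = [[((i == j) + W[i][j]) / 2 for j in range(4)] for i in range(4)]

def encrypt(u, rho):
    """Channel E_k(rho) = U_k rho U_k^* for the key's unitary U_k."""
    return matmul(matmul(u, rho), dagger(u))

def accept_probability(key_unitaries, psi):
    """Verifier's acceptance probability on the proof |psi>|psi>.

    Assumption of this sketch: single-qubit messages, no reference space.
    """
    rho = [[a * b.conjugate() for b in psi] for a in psi]   # |psi><psi|
    total = 0.0
    for u1, u2 in product(key_unitaries, repeat=2):         # uniform k1, k2
        out = kron(encrypt(u1, rho), encrypt(u2, rho))      # step 2
        total += trace(matmul(P_SYM, out)).real             # step 3: Pr[symmetric]
    return total / len(key_unitaries) ** 2

ONE_TIME_PAD = [I2, X, Y, Z]   # key average is the completely depolarizing channel
PHASE_ONLY = [I2, Z]           # constructed insecure scheme: never changes |0>

ZERO = [1, 0]
PLUS = [2 ** -0.5, 2 ** -0.5]
```

With the proof |0⟩|0⟩ the phase-only scheme is accepted with certainty, while the Pauli one-time pad is accepted with probability 3/4 for either proof, which is (1 + tr(ρσ))/2 averaged over keys when the key-averaged output is the completely mixed qubit state.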

A straightforward argument based on the continuity of measurement probabilities (here given as
Lemma 1) can be used to show that this protocol is correct.

Proposition 14. For $0 < \varepsilon < 1/8$, Protocol 13 is a QMA protocol for $\mathrm{DI}_{\varepsilon,\delta}$.

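Proof. If $E$ is a 'yes' instance of $\mathrm{DI}_{\varepsilon,\delta}$, then there exists a state $|\psi\rangle \in \mathcal{H} \otimes \mathcal{R}$ such that for any key $k \in
\{1, \ldots, K\}$ we have $\|E_k(|\psi\rangle\langle\psi|) - |\psi\rangle\langle\psi|\|_{\mathrm{tr}} < \varepsilon$, where throughout this proof we use the shorthand notation
$E_k = E_k \otimes \mathbb{1}_{\mathcal{R}}$. Let the input state be $|\phi\rangle = |\psi\rangle \otimes |\psi\rangle$. Fixing notation further, let $E_k(|\psi\rangle\langle\psi|) = \sigma_k$.
Applying $E_{k_1} \otimes E_{k_2}$ to $|\psi\rangle \otimes |\psi\rangle$ results in a state $\sigma_{k_1} \otimes \sigma_{k_2}$ that satisfies

$$\|\sigma_{k_1} \otimes \sigma_{k_2} - |\psi\rangle\langle\psi| \otimes |\psi\rangle\langle\psi|\|_{\mathrm{tr}} < 2\varepsilon, \qquad (6)$$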
Figure 4: The Verifier's circuit in the QMA protocol.



which follows from the triangle inequality. Then, since the state $|\psi\rangle\langle\psi| \otimes |\psi\rangle\langle\psi|$ is symmetric and
the swap test can be viewed as a projective measurement, Lemma 1 shows that the swap test
returns the symmetric outcome on $\sigma_{k_1} \otimes \sigma_{k_2}$ with probability at least $1 - 2\varepsilon$. This implies that when the
circuit $E$ is not secure the Verifier accepts with high probability.

It remains to show that when the circuit $E$ is a 'no' instance of $\mathrm{DI}_{\varepsilon,\delta}$ the Verifier does not accept
any proof state with high probability. In this case we know that $\left\|\frac{1}{K}\sum_{k=1}^{K} E_k - \Omega\right\|_\diamond \leq \varepsilon$. Once more, a
straightforward argument using the triangle inequality can be used to argue that the tensor product of
two copies satisfies the equation $\left\|\frac{1}{K^2}\sum_{k,j=1}^{K} E_k \otimes E_j - \Omega \otimes \Omega\right\|_\diamond < 2\varepsilon$. This implies that regardless of the
proof state $|\psi\rangle$ the input to the swap test is within trace distance $2\varepsilon$ of the completely mixed state. On
such a state, Lemma 1 implies that the swap test returns the symmetric outcome with probability at most



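$$\frac{1}{2} + \frac{1}{2}\operatorname{tr}\left[\left(\frac{\mathbb{1}}{\dim \mathcal{H}}\right)^{2}\right] + 2\varepsilon = \frac{1}{2} + \frac{1}{2\dim \mathcal{H}} + 2\varepsilon,$$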



and so the probability the Verifier accepts is bounded above by $1/2 + 2\varepsilon$. Thus, when $\varepsilon < 1/8$, there is a
constant gap between the acceptance probabilities in the two cases, and so $\mathrm{DI}_{\varepsilon,\delta} \in \mathrm{QMA}$. □

Combining the previous Proposition with Theorem 12 we obtain the main result.

Theorem 15. For $0 < \varepsilon < 1/8$ and $0 < \delta < 1$, the problem $\mathrm{DI}_{\varepsilon,\delta}$ is QMA-complete.



5 Discussion 

We have shown the QMA-hardness of a general version of the problem of testing the behaviour of a 
quantum circuit. This result generalizes the proofs of hardness for many of the known circuit problems 
that are QMA-hard [13, 18], and also allows for simple proofs of hardness for new circuit problems. As an
application of this result we have shown that the problem of detecting insecure encryption is complete
for QMA by additionally finding an efficient QMA verifier for the problem.
An open problem related to this is to find a QMA verifier for the Pure Fixed Point problem, or an
argument that the problem is likely to lie outside of the class. The direct approach to construct a verifier 
using the swap test on (ideally) two copies of the fixed-point state, similar to the verifier in [18], does not 
seem to work: the circuit that measures a qubit in the computational basis and then applies the Pauli X 
gate, when applied to half of the input space, maps the symmetric state $|01\rangle + |10\rangle$ to a symmetric state.
This circuit, however, does not have any pure (approximate) fixed points. 